CookieAuthenticationFilter.javaAPI DocExample4003Fri Sep 03 10:36:22 BST 2004com.oreilly.strutsckbk.ch11

CookieAuthenticationFilter

public class CookieAuthenticationFilter extends Object implements Filter
Filter which handles application authentication. The filter implements the following policy:
  1. If a user object is already in the session, the request continues down the filter chain unchanged;
  2. If not, the authentication cookies are looked for;
  3. If found, the authentication is attempted
  4. If authentication succeeds, the resulting user object is stored in the session and the chain continues;
  5. Otherwise the cookies are treated as invalid, removed from the response, and the request is redirected to the configured onFailure page instead of reaching the protected resource
author
Bill Siggelkow

Fields Summary
private String
onFailure
private FilterConfig
filterConfig
private static final Log
log
Constructors Summary
Methods Summary
/**
 * Releases nothing: init() only keeps references to container-owned objects
 * (the FilterConfig and an init-parameter String), so there is no cleanup.
 */
public void destroy() {
    // Intentionally empty.
}
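/**
 * Authenticates the request either from the user already held in the session
 * or, failing that, from the authentication cookies; then continues the chain
 * or redirects to the configured {@code onFailure} page.
 *
 * @param request  the incoming request; must be an {@code HttpServletRequest}
 * @param response the outgoing response; must be an {@code HttpServletResponse}
 * @param chain    the remainder of the filter chain
 * @throws java.io.IOException            if the redirect or a downstream filter fails on I/O
 * @throws javax.servlet.ServletException if a downstream filter fails
 */
public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
        throws java.io.IOException, javax.servlet.ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse res = (HttpServletResponse) response;

    String contextPath = req.getContextPath();

    // The failure page itself must pass through unauthenticated, otherwise the
    // redirect below would loop forever.
    // NOTE(review): onFailure is read from an init-param in init(); if it is
    // absent this comparison never matches and the redirect target becomes
    // "<contextPath>null" -- confirm the parameter is mandatory in web.xml.
    if (req.getServletPath().equals(onFailure)) {
        chain.doFilter(request, response);
        return;
    }

    HttpSession session = req.getSession(); // creates a session if none exists
    User user = (User) session.getAttribute(Constants.USER_KEY);
    if (log.isDebugEnabled()) log.debug("User in session:" + user);

    // A user already in the session is trusted as-is; only fall back to the
    // cookies when the session carries no user.
    if (user == null) {
        boolean authentic = false;
        Credentials credentials = SecurityUtils.findCredentials(req);
        if (credentials != null) {
            SecurityService security = getSecurityService();
            try {
                if (log.isDebugEnabled()) log.debug("Checking authentication");
                user = security.authenticate(credentials);
                // Only a non-null result counts as authenticated. Previously
                // whatever authenticate() returned was stored and the chain
                // continued, so an implementation that signals failure by
                // returning null rather than throwing would have let the
                // request through with no user.
                if (user != null) {
                    // NOTE(review): the session id is not rotated on this
                    // cookie-based login; if the container offers it, consider
                    // invalidating and recreating the session here to limit
                    // session-fixation exposure.
                    session.setAttribute(Constants.USER_KEY, user);
                    authentic = true;
                }
            } catch (Exception e) {
                // Any failure while checking the cookie credentials is treated
                // as invalid credentials; the stack trace is for diagnosis.
                log.error("Unexpected authentication failure.", e);
            }
            if (!authentic) {
                // Credentials that did not authenticate are cleared so the
                // client stops presenting them on every request.
                SecurityUtils.removeCredentials(res);
            }
        }

        // No usable credentials: send the client to the logon page and stop
        // the chain so the protected resource is never served.
        if (!authentic) {
            res.sendRedirect(contextPath + onFailure);
            return;
        }
    }
    if (log.isDebugEnabled()) log.debug("Continuing filter chain ...");
    chain.doFilter(request, response);
}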
/**
 * Builds a {@code SecurityService} over the user database that the application
 * stored in the servlet context under {@code Constants.DATABASE_KEY}.
 * A fresh {@code SecurityServiceImpl} is created on every call.
 *
 * @return a security service backed by the context-scoped user database
 */
protected SecurityService getSecurityService() {
    Object database = filterConfig.getServletContext().getAttribute(Constants.DATABASE_KEY);
    return new SecurityServiceImpl((UserDatabase) database);
}
public voidinit(javax.servlet.FilterConfig filterConfig)


          
        this.filterConfig = filterConfig;
        onFailure = filterConfig.getInitParameter("onFailure");